one of two reports won't accelerate

RVDowning
Contributor

I have two reports which are identical with the exception of the earliest modifier. One has earliest="8/22/2014:00:00:00", the other earliest=-6months. (The names of the reports are also different.)

The former works as expected. I can't get the latter one to accelerate. In Report Acceleration Summaries the one that works says "Pending Updated: 31m ago" and the one that doesn't work says "Building summary - 0% Updated: Never" and that status never changes. I've tried the Rebuild option under the Summary ID and also the Rebuild option under the Normalized Summary ID, but can't seem to get it to work.

Any ideas?

0 Karma

lguinn2
Legend

There are several valid reasons that this could happen.

If the search returns fewer than 100K events, Splunk will not create the acceleration summary - it's faster for Splunk to do the search as needed. If the number of events grows to greater than 100K, Splunk will then create the summary. I think this is the most likely reason.

Look at Manage Report Acceleration for more ideas.

0 Karma

RVDowning
Contributor

Given that it selected 16,103,292 events I don't think that this is the issue. The one that does work selected 16,943,827 events.

0 Karma